Privacy & Security

This post is informational, not a request for help. I am interested if other members can duplicate my findings.

I am retired from Freddie Mac as an internet security specialist. I have plenty of experience with enterprise security, but not too much hands-on at the consumer level. I purchased a 3 TB My Cloud and a 4 TB My Book Studio to be a single point backup system for:

  • 1 Mac Book Pro
  • 1 HP (64 bit) desk top Win 7 and Ubuntu 14.04
  • 1 Dell Studio laptop (64 bit) Win 7 and Ubuntu 14.04
  • 1 Dell Inspiron laptop (32 bit) Ubuntu 14.04
  • 2 iPhone 5
  • Apple TV

These are connected to the Verizon Fios Actiontec M1424WR rev I router.

I was naturally concerned with how WD My Cloud would be accessible from the internet so I carefully monitored my router and found that enabling internet access resulted in unwanted changes to my router’s security.

Here’s an outline of the procedure I followed with results that proved my point:

  • on firewall confirm ports 80 & 443 forwarded WD2go
  • disabled Cloud access on MC using Dashboard
  • on firewall confirm ports 80 & 443 no longer forwarded
  • enabled Cloud access on MC using Dashboard
  • on firewall confirm ports 80 & 443 forwarded WD2go
  • disabled Cloud access on MC using Dashboard

The message in the M1424WR rev I router security log:

“Mar 7 16:25:45 2015 Firewall Setup Configuration change WBM user Unknown (0.0.0.0) has changed security settings [repeated 3 times, last time on Mar 7 16:29:35 2015]”

An authenticated message:

“Mar 7 09:12:43 2015 Firewall Setup Configuration change WBM user pfeiffep (192.168.1.3) has changed security settings”

Internet access remains disabled on WD My Cloud and I have since noticed a HUGE reduction of activity on my router.

I know that WD is selling this to home based consumers, but I do have a concern about the more robust My Cloud series and the lack of transparency regarding exactly how “internet access is achieved”.

I firmly believe in what Sy Syms, a clothing marketer, so eloquently stated…

              “an educated consumer is our best customer”

what else can I say - this is the expected behavior if you allowed your router the chance to change security settings via UPNP.

It is a best practice to disable any automatic / convenience like UPNP or WPS and manage this manually.

the typical home user doesn't even know his router password - this would never work if they had to configure port forwarding and check their logs for scans or check the underlying linux distro for vulnerabilities.

the my cloud is an entry level device with many many known vulnerabilities waiting to be exploited, if you want more, go for a synology, they take more care, or even better, buy an HP microserver and connect via VPN if you need to access something from your network.

1 Like

Thank you for your response d-fens.

I am concerned about how companies (WD being only one example) leverage this ignorance without regard to overall Internet security and privacy. The point of posting my findings was to prompt and encourage others to also test and post their findings thusly raising awareness.

I don’t have the financial resources to test WD's more advanced offerings and exactly how Internet access is achieved using DL4100 “From anywhere in the world, you are always connected to your My Cloud Business Series NAS”. Diving further into the device's capabilities uncovers a full web presence for the price of a NAS backup!


d-fens wrote:

"what else can I say - this is the expected behavior if you allowed your router the chance to change security settings via UPNP.

It is a best practice to disable any automatic / convenience like UPNP or WPS and manage this manually."

I totally agree with d-fens that this is directly related to UPnP and is the expected behavior. My transition from securing the enterprise to securing my personal network has been interesting to say the least. I want to correct a misconception about WD install procedure and unauthorized access to my firewall.

By selecting Internet access one is providing the MC application the authority to change one’s router. Another misconception was the message in my router log that I assumed was explicitly WD changing my router; it was not.

This line was copied from my security log when I disabled UPnP: “WBM user Unknown (0.0.0.0) has changed security settings”, so the router firmware identifies settings that are hidden from end users as WBM user Unknown.

Verizon’s policy is to hide where, and Actiontec tech support stated that I had to contact Verizon who stated they had to contact Actiontec (a real Catch-22). Bottom line is Verizon asked Actiontec not to divulge where or how.

If anyone wants to disable UPnP on a Verizon Actiontec M1424WR rev I router, here’s the URL:

        UPnP hidden menu: http://192.168.1.1/index.cgi?active%5fpage=900

I think that purchasing a router from any vendor should enable the end user to configure it as they please. Verizon’s policy concerning this is highly disrespectful to the customer, and is not in the best interest of protecting users’ security and privacy.
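One way to triage the two kinds of entry quoted in this thread, as an added example that is not part of any post: it parses the router's security-log lines and separates changes tied to a named web-admin user from those logged as `Unknown (0.0.0.0)`. The sample log is constructed from the lines quoted above, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: the two entries quoted in the thread plus one unrelated line.
SAMPLE_LOG = """\
Mar 7 09:12:43 2015 Firewall Setup Configuration change WBM user pfeiffep (192.168.1.3) has changed security settings
Mar 7 16:25:45 2015 Firewall Setup Configuration change WBM user Unknown (0.0.0.0) has changed security settings [repeated 3 times, last time on Mar 7 16:29:35 2015]
Mar 7 16:40:02 2015 System Log Message some unrelated entry
"""

TS = r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
ENTRY = re.compile(
    rf"^(?P<ts>{TS}) Firewall Setup Configuration change "
    r"WBM user (?P<user>\S+) \((?P<ip>[\d.]+)\) has changed security settings"
    rf"(?: \[repeated (?P<n>\d+) times, last time on (?P<last>{TS})\])?\s*$"
)

def _when(text):
    # Normalise runs of spaces so "Mar  7" and "Mar 7" both parse.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y")

def parse_changes(log_text):
    """Return one dict per firewall configuration-change entry."""
    changes = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # not a configuration-change entry
        first = _when(m["ts"])
        changes.append({
            "first": first,
            "last": _when(m["last"]) if m["last"] else first,
            "count": int(m["n"]) if m["n"] else 1,  # as the router reports it
            "user": m["user"],
            "ip": m["ip"],
            # No named web-admin session behind the change.
            "unattributed": m["user"] == "Unknown" or m["ip"] == "0.0.0.0",
        })
    return changes

def unattributed_summary(log_text):
    """Total unattributed changes (reported repeats included) and their time span."""
    hits = [c for c in parse_changes(log_text) if c["unattributed"]]
    if not hits:
        return 0, None, None
    return (sum(c["count"] for c in hits),
            min(c["first"] for c in hits), max(c["last"] for c in hits))
```

Comparing the returned time span with the times you toggled Cloud access or UPnP yourself shows which unattributed changes you can account for.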

actually your setup is privacy-focused, in comparison to android, for example.

http://www.apple.com/privacy/privacy-built-in/

if you ever want to expose your NAS to the internet, which is always questionable - go for another brand.

synology is maybe some 40-50 dollars more expensive.